Subject: Re: [gentoo-user] Is this firewall safe?
From: Daniel Troeder
To: gentoo-user@lists.gentoo.org
Date: Fri, 24 Apr 2009 21:38:41 +0200

On Fri, 2009-04-24 at 18:40 +0000, Marco wrote:
> On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder wrote:
> > On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> [...]
> > While all that is correct, I would also consider it "bad network
> > behavior" (no offense intended).
>
> So you consider my 'reject-with' settings to be good practice?

Yes :)

> > It feels like "security through obscurity". It may hamper the
> > well-working of a TCP/IP network, as that relies heavily on ICMP.
>
> I was not really sure how to configure ICMP (ping) correctly. Any
> input appreciated!

That is really difficult, because ICMP is a family of lots of protocols, of which ping is just one. Others are important too, like telling routers/hosts about network congestion, and so on... I don't feel competent enough to give directions. I do always allow ping, as this is needed in a server environment to check for uptime, but your case may be different.
> > Also: if you wish to scan (nmap) yourself to check your system
> > (configuration), you'll wish for REJECT instead of DROP :)
>
> You mean as the default policy?

Yes, and also everywhere you use DROP. It's just that you'll have to wait less for timeouts when connecting to a closed port.

If you decide to go with DROP, then you could make it globally switchable in your script, to change between testing and production environment/situation.

Bye,
Daniel
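One way to make the REJECT/DROP choice switchable between a testing and a production run, as suggested at the end of the reply above, is the following added example; it is not code from the thread or from any poster, and it assumes iptables with the ICMP type names iptables accepts (set IPT=echo to only print the commands). It also covers a detail the thread leaves open: a built-in chain's policy can only be ACCEPT or DROP, so the REJECT variant has to be a final catch-all rule rather than the `-P` policy.

```sh
#!/bin/sh
# Added example (not from the thread): one variable decides what happens to
# unwanted packets, so the same script serves testing (REJECT: your own nmap
# or a failed connect gets an immediate answer) and production (DROP).
# Assumes iptables; set IPT=echo for a dry run that only prints the commands.
IPT="${IPT:-iptables}"

# Target for unwanted packets. A built-in chain's policy (-P) can only be
# ACCEPT or DROP, so REJECT has to be a final catch-all rule, not the policy.
unwanted_target() {
    case "$1" in
        testing)    echo "REJECT --reject-with icmp-port-unreachable" ;;
        production) echo "DROP" ;;
        *)          echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# ICMP kept open in both modes: ping, plus the error types hosts and routers
# depend on (unreachable incl. fragmentation-needed, TTL expiry, bad headers).
ICMP_ALLOWED="echo-request destination-unreachable time-exceeded parameter-problem"

build_rules() {
    mode="$1"
    target="$(unwanted_target "$mode")" || return 1
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for t in $ICMP_ALLOWED; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT   # ssh; list your services here
    # the only rule that differs between modes; $target is unquoted on purpose
    # so "REJECT --reject-with ..." splits into separate arguments
    $IPT -A INPUT -j $target
}

# Usage: MODE=testing sh firewall.sh apply    (IPT=echo ... for a dry run)
if [ "${1:-}" = "apply" ]; then
    build_rules "${MODE:-production}"
fi
```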